Microsoft Advance Notification – July 2014


This month, I’m writing this blog post at 1:00 a.m. on U.S. Independence Day – the 4th of July – on a cruise ship in the middle of the ocean en route to beautiful Skagway, Alaska. Holiday or not, IT pros are looking for a sneak preview of what we’re facing on Patch Tuesday, and I’m sure many are keeping fingers crossed in hopes that the post-celebratory updating duties will go smoothly.

The bad news is: this isn’t going to be one of those always-welcome “two patch Tuesdays.” The good news is: it’s also not going to be one of those fifteen-patch back breakers. Microsoft is releasing six patches this time, with only a couple of them rated as critical and four more that are classified as important.

As is so often the case, the two critical patches will address vulnerabilities that can allow for remote code execution. This is, of course, one of the most dangerous types of exploits because it can enable an attacker to take complete control of the targeted computer. Three of the important patches fix flaws that could be used to gain an elevation of privileges. Because an attacker could potentially capture administrative access through this type of exploit, it’s also a serious matter. However, given the lower severity rating, it’s likely that at least some of these are exploits that would require users to take some action – such as opening an email attachment or visiting a web site that contains the malicious code – and thus proper user education could help to prevent these threats from affecting your systems. The one remaining patch addresses a Denial of Service vulnerability.

Five of these patches are for vulnerabilities in various versions of the Windows operating system, with one of the critical patches also pertaining to Internet Explorer. All supported versions of IE are affected (versions 6-11) on all supported versions of the Windows OS with the exception of server core installations (which, of course, don’t have web browsers installed). That includes Windows 8/8.1 and Windows RT. Bulletins 1-4 affect RT as well as the Intel-based versions of Windows, but Bulletins 5 and 6 do not. While rated critical on the client operating systems, the IE patch is only rated moderate on Windows Server, since IE is more locked down by default. The sixth patch affects Microsoft Service Bus for Windows Server (we’ll go into more detail about that in the Patch Tuesday Roundup).

In summary, it looks to be a moderately light Patch Tuesday. There are no patches for Microsoft Office programs this time – which can be counted as good news since it seems that most of the updates that have caused problems recently have been patches for Office. We will, of course, provide the nitty-gritty details on each of these as soon as they’re released, and if we get reports of any unpleasant side effects from the installation of any of the patches, we’ll get that news out to you as quickly as possible, along with any suggested solutions or mitigations. Always check the security bulletins themselves for detailed instructions on any special prerequisites before applying the patches, and it’s always a best practice to test the patches before rolling them out on your production machines.

I’ll be back next week with the full low-down on these six patches and if we’re lucky, they won’t cause any fireworks.

About the Author: Debra Littlejohn Shinder

Debra Littlejohn Shinder has been working and writing in the field of IT security since 1998. She’s an author of and contributor to over 25 books on computer technology, including “Scene of the Cybercrime,” based on her previous experience as a police officer and police academy instructor. Deb is owner and CEO of TACteam (Training, Authoring and Consulting) and has contracted with Microsoft, Intel, HP, Prowess Consulting, Sunbelt Software, GFI Software, ConfigureSoft, 2X Software and other software and hardware companies. She currently writes articles and blogs for Windowsecurity.com, WindowsNetworking.com and CloudComputingAdmin.com as well as GFI’s Talk Tech to Me and Patch Central, and has published more than 1800 articles for web sites and print magazines. Deb has been a Microsoft MVP in the area of enterprise security for the past eleven years.